forgejo actions: disable native for now

Merge branch 'forgejo-runner' of ifsr.de:wurzel/fruitbasket into forgejo-runner
forgejo: initial runner configuration
2024-06-03 12:17:34 +02:00 · 2024-06-03 12:15:07 +02:00 · 2024-06-03 12:13:52 +02:00 · 2024-04-11 15:31:31 +02:00
32 changed files with 213 additions and 1234 deletions
--- a/flake.lock
+++ b/flake.lock
@ -3,7 +3,9 @@
    "course-management": {
      "inputs": {
        "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": [
          "nixpkgs"
        ],
        "poetry2nix": "poetry2nix"
      },
      "locked": {
@ -40,22 +42,6 @@
        "url": "https://git.ifsr.de/ese/manual-website"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
        "lastModified": 1673956053,
        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems"
@ -110,24 +96,6 @@
        "type": "github"
      }
    },
    "flake-utils_4": {
      "inputs": {
        "systems": "systems_5"
      },
      "locked": {
        "lastModified": 1681202837,
        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "kpp": {
      "inputs": {
        "nixpkgs": [
@ -135,11 +103,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1724255946,
+        "lastModified": 1708628927,
-        "narHash": "sha256-YVT/QE2PCDzx4eq1i3PqOOpQVXJstN18e0sFB/UbAY0=",
+        "narHash": "sha256-1ObvmmEzbW2YjY/jJyfOoxhxIe54zcsOBMzgehnclRg=",
        "owner": "fsr",
        "repo": "kpp",
-        "rev": "ce98b985201a5453aee708a3fc13bbccf2357f8e",
+        "rev": "05e370097af21ddb776bec907942c60e6aebc394",
        "type": "github"
      },
      "original": {
@ -177,11 +145,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1724576102,
+        "lastModified": 1716170277,
-        "narHash": "sha256-uM7n5nNL6fmA0bwMJBNll11f4cMWOFa2Ni6F5KeIldM=",
+        "narHash": "sha256-fCAiox/TuzWGVaAz16PxrR4Jtf9lN5dwWL2W74DS0yI=",
        "owner": "nix-community",
        "repo": "nix-index-database",
-        "rev": "e333d62b70b179da1dd78d94315e8a390f2d12e5",
+        "rev": "e0638db3db43b582512a7de8c0f8363a162842b9",
        "type": "github"
      },
      "original": {
@ -190,35 +158,45 @@
        "type": "github"
      }
    },
    "nix-minecraft": {
      "inputs": {
        "flake-compat": "flake-compat",
        "flake-utils": "flake-utils_3",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1724982042,
        "narHash": "sha256-IwHIZYo1fyloQxvBy15QVzMALNEa7Jo6tzXVJj7U9Ws=",
        "owner": "Infinidoge",
        "repo": "nix-minecraft",
        "rev": "32b632e29b141cc4c441b6e5504d33a9564dc3e6",
        "type": "github"
      },
      "original": {
        "owner": "Infinidoge",
        "repo": "nix-minecraft",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1701253981,
+        "lastModified": 1716361217,
-        "narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=",
+        "narHash": "sha256-mzZDr00WUiUXVm1ujBVv6A0qRd8okaITyUp4ezYRgc4=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58",
+        "rev": "46397778ef1f73414b03ed553a3368f0e7e33c2f",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-23.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1716061101,
        "narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "release-23.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
        "lastModified": 1716509168,
        "narHash": "sha256-4zSIhSRRIoEBwjbPm3YiGtbd8HDWzFxJjw5DYSDy1n8=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "bfb7a882678e518398ce9a31a881538679f6f092",
        "type": "github"
      },
      "original": {
@ -228,39 +206,7 @@
        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1721524707,
        "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "release-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1725001927,
        "narHash": "sha256-eV+63gK0Mp7ygCR0Oy4yIYSNcum2VQwnZamHxYTNi+M=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "6e99f2a27d600612004fbd2c3282d614bfee6421",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_3": {
      "locked": {
        "lastModified": 1682134069,
        "narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=",
@ -325,8 +271,8 @@
        "ese-manual": "ese-manual",
        "kpp": "kpp",
        "nix-index-database": "nix-index-database",
-        "nix-minecraft": "nix-minecraft",
+        "nixpkgs": "nixpkgs",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs-unstable": "nixpkgs-unstable",
        "print-interface": "print-interface",
        "sops-nix": "sops-nix",
        "vscode-server": "vscode-server"
@ -340,11 +286,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1723501126,
+        "lastModified": 1716400300,
-        "narHash": "sha256-N9IcHgj/p1+2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE=",
+        "narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "be0eec2d27563590194a9206f551a6f73d52fa34",
+        "rev": "b549832718b8946e875c016a4785d204fcfc2e53",
        "type": "github"
      },
      "original": {
@ -412,21 +358,6 @@
        "type": "github"
      }
    },
    "systems_5": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "treefmt-nix": {
      "inputs": {
        "nixpkgs": [
@ -451,8 +382,8 @@
    },
    "vscode-server": {
      "inputs": {
-        "flake-utils": "flake-utils_4",
+        "flake-utils": "flake-utils_3",
-        "nixpkgs": "nixpkgs_3"
+        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
        "lastModified": 1713958148,
--- a/flake.nix
+++ b/flake.nix
@ -1,6 +1,7 @@
 {
  inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
    nix-index-database.url = "github:nix-community/nix-index-database";
@ -17,10 +18,8 @@
    course-management = {
      url = "github:fsr/course-management";
-      # inputs.nixpkgs.follows = "nixpkgs";
+      inputs.nixpkgs.follows = "nixpkgs";
    };
    nix-minecraft.url = "github:Infinidoge/nix-minecraft";
    nix-minecraft.inputs.nixpkgs.follows = "nixpkgs";
  };
  outputs =
    { self
@ -32,14 +31,12 @@
    , vscode-server
    , course-management
    , print-interface
    , nix-minecraft
    , ...
    }@inputs:
    let
      supportedSystems = [ "x86_64-linux" ];
      forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
      pkgs = forAllSystems (system: nixpkgs.legacyPackages.${system});
    in
    {
      packages = forAllSystems (system: rec {
@ -71,7 +68,6 @@
            ese-manual.nixosModules.default
            course-management.nixosModules.default
            vscode-server.nixosModules.default
            nix-minecraft.nixosModules.minecraft-servers
            ./hosts/quitte/configuration.nix
            ./options
@ -82,26 +78,21 @@
            ./modules/courses
            ./modules/wiki
            ./modules/matrix
            ./modules/minecraft
            ./modules/keycloak
            ./modules/nix-serve.nix
            ./modules/hedgedoc.nix
            ./modules/padlist.nix
            ./modules/nextcloud.nix
            ./modules/keycloak.nix
            ./modules/monitoring.nix
            ./modules/vaultwarden.nix
            ./modules/forgejo
            ./modules/kanboard.nix
            ./modules/zammad.nix
            ./modules/decisions.nix
            ./modules/stream.nix
            # ./modules/struktur-bot.nix
            {
-              nixpkgs.overlays = [
+              nixpkgs.overlays = [ self.overlays.default ];
                self.overlays.default
                nix-minecraft.overlay
              ];
              sops.defaultSopsFile = ./secrets/quitte.yaml;
            }
          ];
--- a/hosts/quitte/configuration.nix
+++ b/hosts/quitte/configuration.nix
@ -1,4 +1,4 @@
-{ pkgs, config, ... }:
+{ pkgs, ... }:
 {
  imports =
@ -16,7 +16,18 @@
  # boot.kernelParams = [ "video=VGA-1:1024x768@30" ];
  boot.loader.efi.canTouchEfiVariables = true;
  boot.supportedFilesystems = [ "zfs" ];
-  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+  # boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
  # Pin Kernel Version as 6.6.28 has a broken networking driver
  boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.linux_6_6.override {
    argsOverride = rec {
      src = pkgs.fetchurl {
        url = "mirror://kernel/linux/kernel/v6.x/linux-${version}.tar.xz";
        sha256 = "sha256-Y55QBg48jyPtAXyxDP6sxrqI/1WDgSu3aFm0zGoSgpE=";
      };
      version = "6.6.27";
      modDirVersion = "6.6.27";
    };
  });
  services.zfs = {
    trim.enable = true;
--- a/hosts/tomate/configuration.nix
+++ b/hosts/tomate/configuration.nix
@ -50,13 +50,13 @@
  services.xserver.enable = true;
  # Enable the KDE Plasma Desktop Environment.
-  services.displayManager.sddm.enable = true;
+  services.xserver.displayManager.sddm.enable = true;
  services.xserver.desktopManager.plasma5.enable = true;
  # Configure keymap in X11
  services.xserver = {
-    xkb.layout = "de";
+    layout = "de";
-    xkb.variant = "";
+    xkbVariant = "";
  };
  # Configure console keymap
@ -90,7 +90,7 @@
  services.avahi = {
    enable = true;
-    nssmdns4 = true;
+    nssmdns = true;
    openFirewall = true;
    publish = {
      enable = true;
--- a/modules/core/bacula.nix
+++ b/modules/core/bacula.nix
@ -26,10 +26,7 @@
      mailcommand = "${pkgs.bacula}/bin/bsmtp -f \"Bacula <bacula@${config.networking.domain}>\" -s \"Bacula report" %r"
      mail = root+backup = all, !skipped
    '';
-    director."abel-dir" = {
+    director."abel-dir".password = "@${config.sops.secrets."bacula/password".path}";
      password = "@${config.sops.secrets."bacula/password".path}";
      tls.enable = false;
    };
  };
  environment.etc."bacula/bconsole.conf".text = ''
    Director {
--- a/modules/core/base.nix
+++ b/modules/core/base.nix
@ -1,5 +1,6 @@
 { pkgs, config, ... }: {
  nix = {
    package = pkgs.nixUnstable; # or versioned attributes like nix_2_4
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
@ -112,7 +113,6 @@
    eza
    zsh
    unzip
    yazi
  ];
 }
--- a/modules/core/logging.nix
+++ b/modules/core/logging.nix
@ -3,7 +3,6 @@
  services.rsyslogd = {
    enable = true;
    defaultConfig = ''
      $FileCreateMode 0640
      :programname, isequal, "postfix" /var/log/postfix.log
      auth.*                          -/var/log/auth.log
--- a/modules/core/nginx.nix
+++ b/modules/core/nginx.nix
@ -7,10 +7,14 @@
        ({ name, ... }: {
          enableACME = true;
          forceSSL = true;
          # enable http3 for all hosts
          quic = true;
          http3 = true;
          # split up nginx access logs per vhost
          extraConfig = ''
            access_log /var/log/nginx/${name}_access.log;
            error_log /var/log/nginx/${name}_error.log;
            add_header Alt-Svc 'h3=":443"; ma=86400';
          '';
        })
      );
--- a/modules/decisions.nix
+++ b/modules/decisions.nix
@ -33,14 +33,14 @@ in
    };
  };
-  # systemd.services."decisions-to-db" = {
+  systemd.services."decisions-to-db" = {
-  #   script = ''
+    script = ''
-  #     set -eu
+      set -eu
-  #     ${pkgs.podman}/bin/podman exec decisions python tex_to_db.py
+      ${pkgs.docker}/bin/docker exec decisions python tex_to_db.py
-  #   '';
+    '';
-  #   serviceConfig = {
+    serviceConfig = {
-  #     Type = "oneshot";
+      Type = "oneshot";
-  #     User = "root";
+      User = "root";
-  #   };
+    };
-  # };
+  };
 }
--- a/modules/forgejo/default.nix
+++ b/modules/forgejo/default.nix
@ -22,6 +22,15 @@ in
  services.forgejo = {
    enable = true;
    package = pkgs.forgejo.overrideAttrs (_old: {
      patches = [
        # migration fix
        (pkgs.fetchpatch {
          url = "https://codeberg.org/forgejo/forgejo/commit/ae463c7c559e02975ce5e758d8780def978eebee.patch";
          hash = "sha256-cOXPvkLS0n+ynSBTrmEtumZ2PYBeCZmxPpFktqkw6Fo=";
        })
      ];
    });
    user = gitUser;
    group = gitUser;
    lfs.enable = true;
@ -70,8 +79,6 @@ in
        PROVIDER = "db";
      };
      actions.ENABLED = true;
      federation.ENABLED = true;
      webhook.ALLOWED_HOST_LIST = "*.ifsr.de";
    };
  };
--- a/modules/kanboard.nix
+++ b/modules/kanboard.nix
@ -1,65 +1,33 @@
-{ pkgs, config, lib, ... }:
+{ config, pkgs, ... }:
 let
  domain = "kanboard.${config.networking.domain}";
  domain_short = "kb.${config.networking.domain}";
  user = "kanboard";
  group = "kanboard";
 in
 {
-  users.users.${user} = {
+  sops.secrets."kanboard_env" = { };
    group = group;
    isSystemUser = true;
  };
  users.groups.${group} = { };
-  services.phpfpm.pools.kanboard = {
+  virtualisation.oci-containers = {
-    user = "kanboard";
+    containers.kanboard = {
-    group = "kanboard";
+      image = "ghcr.io/kanboard/kanboard:v1.2.36";
-    settings = {
+      volumes = [
-      "listen.owner" = config.services.nginx.user;
+        "kanboard_data:/var/www/app/data"
-      "pm" = "dynamic";
+        "kanboard_plugins:/var/www/app/plugins"
-      "pm.max_children" = 32;
+      ];
-      "pm.max_requests" = 500;
+      ports = [ "127.0.0.1:8045:80" ];
-      "pm.start_servers" = 2;
+      environmentFiles = [
-      "pm.min_spare_servers" = 2;
+        config.sops.secrets."kanboard_env".path
-      "pm.max_spare_servers" = 5;
+      ];
      "php_admin_value[error_log]" = "stderr";
      "php_admin_flag[log_errors]" = true;
      "catch_workers_output" = true;
    };
    phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
  };
  services.nginx.enable = true;
  services.nginx = {
    virtualHosts."${domain_short}" = {
      locations."/".return = "301 $scheme://${domain}$request_uri";
    };
    virtualHosts."${domain}" = {
-      root = "/srv/web/kanboard";
+      locations."/" = {
-      extraConfig = ''
+        proxyPass = "http://127.0.0.1:8045";
        index index.html index.php;
      '';
      locations = {
        "/" = {
          tryFiles = "$uri $uri/ =404";
        };
        "~ \.php$" = {
          extraConfig = ''
            try_files $uri =404;
            fastcgi_pass unix:${config.services.phpfpm.pools.kanboard.socket};
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_index index.php;
            include ${pkgs.nginx}/conf/fastcgi_params;
            include ${pkgs.nginx}/conf/fastcgi.conf;
            fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
          '';
        };
        "/data".return = "403";
      };
    };
  };
--- a/modules/keycloak/default.nix
+++ b/modules/keycloak/default.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, nixpkgs-unstable, ... }:
 let
  domain = "sso.${config.networking.domain}";
 in
@ -7,7 +7,7 @@ in
  services.keycloak = {
    enable = true;
    # we use unstable as the release in stable is insecure
-    # package = nixpkgs-unstable.legacyPackages.x86_64-linux.keycloak;
+    package = nixpkgs-unstable.legacyPackages.x86_64-linux.keycloak;
    settings = {
      http-port = 8086;
      https-port = 19000;
@ -20,9 +20,6 @@ in
      passwordFile = config.sops.secrets."keycloak/db".path;
    };
    initialAdminPassword = "plschangeme";
    themes = with pkgs ; {
      ifsr = keycloak_ifsr_theme;
    };
  };
  services.nginx.virtualHosts."${domain}" = {
    locations."/" = {
--- a/modules/keycloak/theme.nix
+++ b/modules/keycloak/theme.nix
@ -1,15 +0,0 @@
 { stdenv }:
 stdenv.mkDerivation rec {
  name = "keycloak_ifsr_theme";
  version = "1.1";
  src = ./theme;
  nativeBuildInputs = [ ];
  buildInputs = [ ];
  installPhase = ''
    mkdir -p $out
    cp -a login $out
  '';
 }
--- a/modules/keycloak/theme/login/resources/css/login.css
+++ b/modules/keycloak/theme/login/resources/css/login.css
@ -1,772 +0,0 @@
 .login-pf {
    background: none;
 }
 .login-pf body {
    background: url(../img/background.jpg) no-repeat center center fixed;
    background-size: cover;
    height: 100%;
 }
 /*IE compatibility*/
 .pf-c-form-control {
    font-size: 14px;
    font-size: var(--pf-global--FontSize--sm);
    border-width: 1px;
    border-width: var(--pf-global--BorderWidth--sm);;
    border-color: #EDEDED #EDEDED #8A8D90 #EDEDED;
    border-color: var(--pf-global--BorderColor--300) var(--pf-global--BorderColor--300) var(--pf-global--BorderColor--200) var(--pf-global--BorderColor--300);
    background-color: #FFFFFF;
    background-color: var(--pf-global--BackgroundColor--100);
    height: 36px;
    height: calc(var(--pf-c-form-control--FontSize) * var(--pf-c-form-control--LineHeight) + var(--pf-c-form-control--BorderWidth) * 2 + var(--pf-c-form-control--PaddingTop) + var(--pf-c-form-control--PaddingBottom));
    padding: 5px 0.5rem;
    padding: var(--pf-c-form-control--PaddingTop) var(--pf-c-form-control--PaddingRight) var(--pf-c-form-control--PaddingBottom) var(--pf-c-form-control--PaddingLeft);
 }
 textarea.pf-c-form-control {
 	height: auto;
 }
 .pf-c-form-control:hover, .pf-c-form-control:focus {
    border-bottom-color: #0066CC;
    border-bottom-color: var(--pf-global--primary-color--100);
    border-bottom-width: 2px;
    border-bottom-width: var(--pf-global--BorderWidth--md);
 }
 .pf-c-form-control[aria-invalid=true] {
    border-bottom-color: #C9190B;
    border-bottom-color: var(--pf-global--danger-color--100);
    border-bottom-width: 2px;
    border-bottom-width: var(--pf-global--BorderWidth--md);
 }
 .pf-c-check__label, .pf-c-radio__label {
 	font-size: 14px;
 	font-size: var(--pf-global--FontSize--sm);
 }
 .pf-c-alert.pf-m-inline {
    margin-bottom: 0.5rem; /* default - IE compatibility */
    margin-bottom: var(--pf-global--spacer--sm);
    padding: 0.25rem;
    padding: var(--pf-global--spacer--xs);
    border: solid #ededed;
    border: solid var(--pf-global--BorderColor--300);
    border-width: 1px;
    border-width: var(--pf-c-alert--m-inline--BorderTopWidth) var(--pf-c-alert--m-inline--BorderRightWidth) var(--pf-c-alert--m-inline--BorderBottomWidth) var(--pf-c-alert--m-inline--BorderLeftWidth);
    display: -ms-flexbox;
    display: grid;
    -ms-grid-columns: max-content 1fr max-content;
    grid-template-columns:max-content 1fr max-content;
    grid-template-columns: var(--pf-c-alert--grid-template-columns);
    grid-template-rows: 1fr auto;
    grid-template-rows: var(--pf-c-alert--grid-template-rows);
 }
 .pf-c-alert.pf-m-inline::before {
    position: absolute;
    top: -1px;
    top: var(--pf-c-alert--m-inline--before--Top);
    bottom: -1px;
    bottom: var(--pf-c-alert--m-inline--before--Bottom);
    left: 0;
    width: 3px;
    width: var(--pf-c-alert--m-inline--before--Width);
    content: ;
    background-color: #FFFFFF;
    background-color: var(--pf-global--BackgroundColor--100);
 }
 .pf-c-alert.pf-m-inline.pf-m-success::before {
    background-color: #92D400;
    background-color: var(--pf-global--success-color--100);
 }
 .pf-c-alert.pf-m-inline.pf-m-danger::before {
    background-color: #C9190B;
    background-color: var(--pf-global--danger-color--100);
 }
 .pf-c-alert.pf-m-inline.pf-m-warning::before {
    background-color: #F0AB00;
    background-color: var(--pf-global--warning-color--100);
 }
 .pf-c-alert.pf-m-inline .pf-c-alert__icon {
    padding: 1rem 0.5rem 1rem 1rem;
    padding: var(--pf-c-alert--m-inline__icon--PaddingTop) var(--pf-c-alert--m-inline__icon--PaddingRight) var(--pf-c-alert--m-inline__icon--PaddingBottom) var(--pf-c-alert--m-inline__icon--PaddingLeft);
    font-size: 16px;
    font-size: var(--pf-c-alert--m-inline__icon--FontSize);
 }
 .pf-c-alert.pf-m-success .pf-c-alert__icon {
    color: #92D400;
    color: var(--pf-global--success-color--100);
 }
 .pf-c-alert.pf-m-success .pf-c-alert__title {
    color: #486B00;
    color: var(--pf-global--success-color--200);
 }
 .pf-c-alert.pf-m-danger .pf-c-alert__icon {
    color: #C9190B;
    color: var(--pf-global--danger-color--100);
 }
 .pf-c-alert.pf-m-danger .pf-c-alert__title {
    color: #A30000;
    color: var(--pf-global--danger-color--200);
 }
 .pf-c-alert.pf-m-warning .pf-c-alert__icon {
    color: #F0AB00;
    color: var(--pf-global--warning-color--100);
 }
 .pf-c-alert.pf-m-warning .pf-c-alert__title {
    color: #795600;
    color: var(--pf-global--warning-color--200);
 }
 .pf-c-alert__title {
    font-size: 14px; /* default - IE compatibility */
    font-size: var(--pf-global--FontSize--sm);
    padding: 5px 8px;
    padding: var(--pf-c-alert__title--PaddingTop) var(--pf-c-alert__title--PaddingRight) var(--pf-c-alert__title--PaddingBottom) var(--pf-c-alert__title--PaddingLeft);
 }
 .pf-c-button{
    padding:0.375rem 1rem;
    padding: var(--pf-global--spacer--form-element) var(--pf-global--spacer--md);
 }
 /* default - IE compatibility */
 .pf-m-primary {
    color: #FFFFFF;
    background-color: #0066CC;
    background-color: var(--pf-global--primary-color--100);
 }
 /* default - IE compatibility */
 .pf-m-primary:hover {
    background-color: #004080;
    background-color: var(--pf-global--primary-color--200);
 }
 /* default - IE compatibility */
 .pf-c-button.pf-m-control {
    border: solid 1px;
    border: solid var(--pf-global--BorderWidth--sm);
    border-color: rgba(230, 230, 230, 0.5);
 }
 /*End of IE compatibility*/
 h1#kc-page-title {
    margin-top: 10px;
 }
 #kc-locale ul {
    background-color: #FFF;
    background-color: var(--pf-global--BackgroundColor--100);
    display: none;
    top: 20px;
    min-width: 100px;
    padding: 0;
 }
 #kc-locale-dropdown{
    display: inline-block;
 }
 #kc-locale-dropdown:hover ul {
    display:block;
 }
 /* IE compatibility */
 #kc-locale-dropdown a {
    color: #6A6E73;
    color: var(--pf-global--Color--200);
    text-align: right;
    font-size: 14px;
    font-size: var(--pf-global--FontSize--sm);
 }
 /* IE compatibility */
 a#kc-current-locale-link::after {
    content: 2c5;
    margin-left: 4px;
    margin-left: var(--pf-global--spacer--xs)
 }
 .login-pf .container {
    padding-top: 40px;
 }
 .login-pf a:hover {
    color: #0099d3;
 }
 #kc-logo {
    width: 100%;
 }
 div.kc-logo-text {
    background-image: url(../img/agdsn_logo.png);
    background-repeat: no-repeat;
       background-size: auto;
   position: relative;
    top: 0%;
    left: 25%;
    width: 950px;
  height: 250px;
 }
 div.kc-logo-text span {
    display: none;
 }
 #kc-header {
    color: #ededed;
    overflow: visible;
    white-space: nowrap;
 }
 #kc-header-wrapper {
    font-size: 29px;
    text-transform: uppercase;
    letter-spacing: 3px;
    line-height: 1.2em;
    padding: 62px 10px 20px;
    white-space: normal;
 }
 #kc-content {
    width: 100%;
 }
 #kc-attempted-username {
    font-size: 20px;
    font-family: inherit;
    font-weight: normal;
    padding-right: 10px;
 }
 #kc-username {
    text-align: center;
    margin-bottom:-10px;
 }
 #kc-webauthn-settings-form {
    padding-top: 8px;
 }
 #kc-form-webauthn .select-auth-box-parent {
    pointer-events: none;
 }
 #kc-form-webauthn .select-auth-box-desc {
    color: var(--pf-global--palette--black-600);
 }
 #kc-form-webauthn .select-auth-box-headline {
    color: var(--pf-global--Color--300);
 }
 #kc-form-webauthn .select-auth-box-icon {
    flex: 0 0 3em;
 }
 #kc-form-webauthn .select-auth-box-icon-properties {
    margin-top: 10px;
    font-size: 1.8em;
 }
 #kc-form-webauthn .select-auth-box-icon-properties.unknown-transport-class {
    margin-top: 3px;
 }
 #kc-form-webauthn .pf-l-stack__item {
    margin: -1px 0;
 }
 #kc-content-wrapper {
    margin-top: 20px;
 }
 #kc-form-wrapper {
    margin-top: 10px;
 }
 #kc-info {
    margin: 20px -40px -30px;
 }
 #kc-info-wrapper {
    font-size: 13px;
    padding: 15px 35px;
    background-color: #F0F0F0;
 }
 #kc-form-options span {
    display: block;
 }
 #kc-form-options .checkbox {
    margin-top: 0;
    color: #72767b;
 }
 #kc-terms-text {
    margin-bottom: 20px;
 }
 #kc-registration {
    margin-bottom: 0;
 }
 /* TOTP */
 .subtitle {
    text-align: right;
    margin-top: 30px;
    color: #909090;
 }
 .required {
    color: #A30000; /* default - IE compatibility */
    color: var(--pf-global--danger-color--200);
 }
 ol#kc-totp-settings {
    margin: 0;
    padding-left: 20px;
 }
 ul#kc-totp-supported-apps {
    margin-bottom: 10px;
 }
 #kc-totp-secret-qr-code {
    max-width:150px;
    max-height:150px;
 }
 #kc-totp-secret-key {
    background-color: #fff;
    color: #333333;
    font-size: 16px;
    padding: 10px 0;
 }
 /* OAuth */
 #kc-oauth h3 {
    margin-top: 0;
 }
 #kc-oauth ul {
    list-style: none;
    padding: 0;
    margin: 0;
 }
 #kc-oauth ul li {
    border-top: 1px solid rgba(255, 255, 255, 0.1);
    font-size: 12px;
    padding: 10px 0;
 }
 #kc-oauth ul li:first-of-type {
    border-top: 0;
 }
 #kc-oauth .kc-role {
    display: inline-block;
    width: 50%;
 }
 /* Code */
 #kc-code textarea {
    width: 100%;
    height: 8em;
 }
 /* Social */
 .kc-social-links {
    margin-top: 20px;
 }
 .kc-social-provider-logo {
    font-size: 23px;
    width: 30px;
    height: 25px;
    float: left;
 }
 .kc-social-gray {
    color: #737679; /* default - IE compatibility */
    color: var(--pf-global--Color--200);
 }
 .kc-social-item {
    margin-bottom: 0.5rem; /* default - IE compatibility */
    margin-bottom: var(--pf-global--spacer--sm);
    font-size: 15px;
    text-align: center;
 }
 .kc-social-provider-name {
    position: relative;
    top: 3px;
 }
 .kc-social-icon-text {
    left: -15px;
 }
 .kc-social-grid {
    display:grid;
    grid-column-gap: 10px;
    grid-row-gap: 5px;
    grid-column-end: span 6;
    --pf-l-grid__item--GridColumnEnd: span 6;
 }
 .kc-social-grid .kc-social-icon-text {
    left: -10px;
 }
 .kc-login-tooltip {
    position: relative;
    display: inline-block;
 }
 .kc-social-section {
    text-align: center;
 }
 .kc-social-section hr{
    margin-bottom: 10px
 }
 .kc-login-tooltip .kc-tooltip-text{
    top:-3px;
    left:160%;
    background-color: black;
    visibility: hidden;
    color: #fff;
    min-width:130px;
    text-align: center;
    border-radius: 2px;
    box-shadow:0 1px 8px rgba(0,0,0,0.6);
    padding: 5px;
    position: absolute;
    opacity:0;
    transition:opacity 0.5s;
 }
 /* Show tooltip */
 .kc-login-tooltip:hover .kc-tooltip-text {
    visibility: visible;
    opacity:0.7;
 }
 /* Arrow for tooltip */
 .kc-login-tooltip .kc-tooltip-text::after {
    content:  ;
    position: absolute;
    top: 15px;
    right: 100%;
    margin-top: -5px;
    border-width: 5px;
    border-style: solid;
    border-color: transparent black transparent transparent;
 }
@media (min-width: 768px) {
    #kc-container-wrapper {
        position: absolute;
        width: 100%;
    }
    .login-pf .container {
        padding-right: 80px;
    }
    #kc-locale {
        position: relative;
        text-align: right;
        z-index: 9999;
    }
 }
@media (max-width: 767px) {
    .login-pf body {
        background: white;
    }
    #kc-header {
        padding-left: 15px;
        padding-right: 15px;
        float: none;
        text-align: left;
    }
    #kc-header-wrapper {
        font-size: 16px;
        font-weight: bold;
        padding: 20px 60px 0 0;
        color: #72767b;
        letter-spacing: 0;
    }
    div.kc-logo-text {
        margin: 0;
        width: 150px;
        height: 32px;
        background-size: 100%;
    }
    #kc-form {
        float: none;
    }
    #kc-info-wrapper {
        border-top: 1px solid rgba(255, 255, 255, 0.1);
        background-color: transparent;
    }
    .login-pf .container {
        padding-top: 15px;
        padding-bottom: 15px;
    }
    #kc-locale {
        position: absolute;
        width: 200px;
        top: 20px;
        right: 20px;
        text-align: right;
        z-index: 9999;
    }
 }
@media (min-height: 646px) {
    #kc-container-wrapper {
        bottom: 12%;
    }
 }
@media (max-height: 645px) {
    #kc-container-wrapper {
        padding-top: 50px;
        top: 20%;
    }
 }
 .card-pf form.form-actions .btn {
    float: right;
    margin-left: 10px;
 }
 #kc-form-buttons {
    margin-top: 20px;
 }
 .login-pf-page .login-pf-brand {
    margin-top: 20px;
    max-width: 360px;
    width: 40%;
 }
 /* Internet Explorer 11 compatibility workaround for select-authenticator screen */
@media all and (-ms-high-contrast: none),
 (-ms-high-contrast: active) {
    .select-auth-box-parent {
        border-top: 1px solid #f0f0f0;
        padding-top: 1rem;
        padding-bottom: 1rem;
        cursor: pointer;
    }
    .select-auth-box-headline {
        font-size: 16px;
        color: #06c;
        font-weight: bold;
    }
    .select-auth-box-desc {
        font-size: 14px;
    }
    .pf-l-stack {
        flex-basis: 100%;
    }
 }
 /* End of IE11 workaround for select-authenticator screen */
 .select-auth-box-arrow{
    display: flex;
    align-items: center;
    margin-right: 2rem;
 }
 .select-auth-box-icon{
    display: flex;
    flex: 0 0 2em;
    justify-content: center;
    margin-right: 1rem;
    margin-left: 3rem;
 }
 .select-auth-box-parent{
    border-top: 1px solid var(--pf-global--palette--black-200);
    padding-top: 1rem;
    padding-bottom: 1rem;
    cursor: pointer;
 }
 .select-auth-box-parent:hover{
    background-color: #f7f8f8;
 }
 .select-auth-container {
 }
 .select-auth-box-headline {
    font-size: var(--pf-global--FontSize--md);
    color: var(--pf-global--primary-color--100);
    font-weight: bold;
 }
 .select-auth-box-desc {
    font-size: var(--pf-global--FontSize--sm);
 }
 .select-auth-box-paragraph {
    text-align: center;
    font-size: var(--pf-global--FontSize--md);
    margin-bottom: 5px;
 }
 .card-pf {
    margin: 0 auto;
    box-shadow: var(--pf-global--BoxShadow--lg);
    padding: 0 20px;
    max-width: 500px;
    border-top: 4px solid;
    border-color: #0066CC; /* default - IE compatibility */
    border-color: var(--pf-global--primary-color--100);
 }
 /*phone*/
@media (max-width: 767px) {
    .login-pf-page .card-pf {
        max-width: none;
        margin-left: 0;
        margin-right: 0;
        padding-top: 0;
        border-top: 0;
        box-shadow: 0 0;
    }
    .kc-social-grid {
        grid-column-end: 12;
        --pf-l-grid__item--GridColumnEnd: span 12;
    }
    .kc-social-grid .kc-social-icon-text {
        left: -15px;
    }
 }
 .login-pf-page .login-pf-signup {
    font-size: 15px;
    color: #72767b;
 }
 #kc-content-wrapper .row {
    margin-left: 0;
    margin-right: 0;
 }
 .login-pf-page.login-pf-page-accounts {
    margin-left: auto;
    margin-right: auto;
 }
 .login-pf-page .btn-primary {
    margin-top: 0;
 }
 .login-pf-page .list-view-pf .list-group-item {
    border-bottom: 1px solid #ededed;
 }
 .login-pf-page .list-view-pf-description {
    width: 100%;
 }
 #kc-form-login div.form-group:last-of-type,
 #kc-register-form div.form-group:last-of-type,
 #kc-update-profile-form div.form-group:last-of-type {
    margin-bottom: 0px;
 }
 .no-bottom-margin {
    margin-bottom: 0;
 }
 #kc-back {
    margin-top: 5px;
 }
 /* Recovery codes */
 .kc-recovery-codes-warning {
    margin-bottom: 32px;
 }
 .kc-recovery-codes-warning .pf-c-alert__description p {
    font-size: 0.875rem;
 }
 .kc-recovery-codes-list {
    list-style: none;
    columns: 2;
    margin: 16px 0;
    padding: 16px 16px 8px 16px;
    border: 1px solid #D2D2D2;
 }
 .kc-recovery-codes-list li {
    margin-bottom: 8px;
    font-size: 11px;
 }
 .kc-recovery-codes-list li span {
    color: #6A6E73;
    width: 16px;
    text-align: right;
    display: inline-block;
    margin-right: 1px;
 }
 .kc-recovery-codes-actions {
    margin-bottom: 24px;
 }
 .kc-recovery-codes-actions button {
    padding-left: 0;
 }
 .kc-recovery-codes-actions button i {
    margin-right: 8px;
 }
 .kc-recovery-codes-confirmation {
    align-items: baseline;
    margin-bottom: 16px;
 }
 /* End Recovery codes */
--- a/modules/keycloak/theme/login/resources/img/background.jpg
+++ b/modules/keycloak/theme/login/resources/img/background.jpg
--- a/modules/keycloak/theme/login/theme.properties
+++ b/modules/keycloak/theme/login/theme.properties
@ -1,4 +0,0 @@
 parent=keycloak
 import=common/keycloak
 styles=css/login.css
--- a/modules/ldap/default.nix
+++ b/modules/ldap/default.nix
@ -1,4 +1,4 @@
-{ config, pkgs, system, ... }:
+{ config, pkgs, nixpkgs-unstable, system, ... }:
 let
  domain = "auth.${config.networking.domain}";
  seedSettings = {
@ -43,6 +43,15 @@ let
  };
 in
 {
  # Use portunus from unstable branch until 24.05 is here
  disabledModules = [ "services/misc/portunus.nix" ];
  imports = [ "${nixpkgs-unstable}/nixos/modules/services/misc/portunus.nix" ];
  nixpkgs.overlays = [
    (_self: _super: {
      inherit (nixpkgs-unstable.legacyPackages.${system}) portunus;
    })
  ];
  sops.secrets = {
    "portunus/admin-password".owner = config.services.portunus.user;
    "portunus/search-password".owner = config.services.portunus.user;
--- a/modules/mail/dovecot2.nix
+++ b/modules/mail/dovecot2.nix
@ -1,4 +1,4 @@
-{ lib, config, pkgs, ... }:
+{ config, pkgs, ... }:
 let
  hostname = "mail.${config.networking.domain}";
  dovecot-ldap-args = pkgs.writeText "ldap-args" ''
@ -16,10 +16,40 @@ let
 in
 {
  networking.firewall.allowedTCPPorts = [
    143 # IMAP
    993 # IMAPS
    4190 # Managesieve
  ];
  sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user;
  environment.etc = {
    "dovecot/sieve-pipe/sa-learn-spam.sh" = {
      text = ''
        #!/bin/sh
        ${pkgs.rspamd}/bin/rspamc learn_spam
      '';
      mode = "0555";
    };
    "dovecot/sieve-pipe/sa-learn-ham.sh" = {
      text = ''
        #!/bin/sh
        ${pkgs.rspamd}/bin/rspamc learn_ham
      '';
      mode = "0555";
    };
    "dovecot/sieve/report-spam.sieve" = {
      source = ./report-spam.sieve;
      user = "dovecot2";
      group = "dovecot2";
      mode = "0544";
    };
    "dovecot/sieve/report-ham.sieve" = {
      source = ./report-ham.sieve;
      user = "dovecot2";
      group = "dovecot2";
      mode = "0544";
    };
  };
  services.dovecot2 = {
    enable = true;
    enableImap = true;
@ -71,18 +101,7 @@ in
    # set to satisfy the sieveScripts check, will be overridden by userdb lookups anyways
    mailUser = "vmail";
    mailGroup = "vmail";
-    sieve = {
+    sieveScripts = {
      # just pot something in here to prevent empty strings
      extensions = [ "notify" ];
      pipeBins = map lib.getExe [
        (pkgs.writeShellScriptBin "learn-ham.sh" "exec ${pkgs.rspamd}/bin/rspamc learn_ham")
        (pkgs.writeShellScriptBin "learn-spam.sh" "exec ${pkgs.rspamd}/bin/rspamc learn_spam")
      ];
      plugins = [
        "sieve_imapsieve"
        "sieve_extprograms"
      ];
      scripts = {
      before = pkgs.writeText "spam.sieve" ''
        require "fileinto";
@ -93,23 +112,6 @@ in
        }
      '';
    };
    };
    imapsieve.mailbox = [
      {
        # Spam: From elsewhere to Spam folder or flag changed in Spam folder
        name = "Spam";
        causes = [ "COPY" "APPEND" "FLAG" ];
        before = ./report-spam.sieve;
      }
      {
        # From Junk folder to elsewhere
        name = "*";
        from = "Spam";
        causes = [ "COPY" ];
        before = ./report-ham.sieve;
      }
    ];
    extraConfig = ''
      auth_username_format = %Ln
      passdb {
@ -150,6 +152,21 @@ in
      plugin {
        sieve_plugins = sieve_imapsieve sieve_extprograms
        sieve_global_extensions = +vnd.dovecot.pipe
        sieve_pipe_bin_dir = /etc/dovecot/sieve-pipe
        # Spam: From elsewhere to Spam folder or flag changed in Spam folder
        imapsieve_mailbox1_name = Spam
        imapsieve_mailbox1_causes = COPY APPEND FLAG
        imapsieve_mailbox1_before = file:/etc/dovecot/sieve/report-spam.sieve
        # Ham: From Spam folder to elsewhere
        imapsieve_mailbox2_name = *
        imapsieve_mailbox2_from = Spam
        imapsieve_mailbox2_causes = COPY
        imapsieve_mailbox2_before = file:/etc/dovecot/sieve/report-ham.sieve
        # https://doc.dovecot.org/configuration_manual/plugins/listescape_plugin/
        listescape_char = "\\"
      }
--- a/modules/mail/report-ham.sieve
+++ b/modules/mail/report-ham.sieve
@ -12,4 +12,4 @@ if environment :matches "imap.user" "*" {
  set "username" "${1}";
 }
-pipe :copy "learn-ham.sh" [ "${username}" ];
+pipe :copy "sa-learn-ham.sh" [ "${username}" ];
--- a/modules/mail/report-spam.sieve
+++ b/modules/mail/report-spam.sieve
@ -4,4 +4,4 @@ if environment :matches "imap.user" "*" {
  set "username" "${1}";
 }
-pipe :copy "learn-spam.sh" [ "${username}" ];
+pipe :copy "sa-learn-spam.sh" [ "${username}" ];
--- a/modules/mail/rspamd.nix
+++ b/modules/mail/rspamd.nix
@ -55,74 +55,6 @@ in
          path = /var/lib/rspamd/dkim/$domain.$selector.key;
        '';
        "reputation.conf".text = ''
          rules {
            ip_reputation = {
              selector "ip" {
              }
              backend "redis" {
                servers = "/run/redis-rspamd/redis.sock";
              }
              symbol = "IP_REPUTATION";
            }
            spf_reputation =  {
              selector "spf" {
              }
              backend "redis" {
                servers = "/run/redis-rspamd/redis.sock";
              }
              symbol = "SPF_REPUTATION";
            }
            dkim_reputation =  {
              selector "dkim" {
              }
              backend "redis" {
                servers = "/run/redis-rspamd/redis.sock";
              }
              symbol = "DKIM_REPUTATION"; # Also adjusts scores for DKIM_ALLOW, DKIM_REJECT
            }
            generic_reputation =  {
              selector "generic" {
                selector = "ip"; # see https://rspamd.com/doc/configuration/selectors.html
              }
              backend "redis" {
                servers = "/run/redis-rspamd/redis.sock";
              }
              symbol = "GENERIC_REPUTATION";
            }
          }
        '';
        "groups.conf".text = ''
            group "reputation" {
              symbols = {
                  "IP_REPUTATION_HAM" {
                      weight = 1.0;
                  }
                  "IP_REPUTATION_SPAM" {
                      weight = 4.0;
                  }
                  "DKIM_REPUTATION" {
                      weight = 1.0;
                  }
                  "SPF_REPUTATION_HAM" {
                      weight = 1.0;
                  }
                  "SPF_REPUTATION_SPAM" {
                      weight = 2.0;
                  }
                  "GENERIC_REPUTATION" {
                      weight = 1.0;
                  }
              }
          }
        '';
        "multimap.conf".text =
          let
@ -141,26 +73,22 @@ in
              filter = "email:domain";
              map = "/var/lib/rspamd/whitelist.sender.domain.map";
              action = "accept";
              regexp = true;
            }
            WHITELIST_SENDER_EMAIL {
              type = "from";
              map = "/var/lib/rspamd/whitelist.sender.email.map";
              action = "accept";
              regexp = true;
            }
            BLACKLIST_SENDER_DOMAIN {
              type = "from";
              filter = "email:domain";
              map = "/var/lib/rspamd/blacklist.sender.domain.map";
              action = "reject";
              regexp = true;
            }
            BLACKLIST_SENDER_EMAIL {
              type = "from";
              map = "/var/lib/rspamd/blacklist.sender.email.map";
              action = "reject";
              regexp = true;
            }
            BLACKLIST_SUBJECT_KEYWORDS {
              type = "header";
--- a/modules/minecraft/default.nix
+++ b/modules/minecraft/default.nix
@ -1,52 +0,0 @@
 { pkgs, config, lib, ... }:
 {
  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
    "minecraft-server"
  ];
  services.minecraft-servers = {
    enable = true;
    eula = true;
    servers.ifsr = {
      enable = true;
      package = pkgs.fabricServers.fabric-1_21;
      jvmOpts = "-Xmx8192M -Xms8192M";
    };
  };
  services.bluemap = {
    enable = true;
    host = "map.mc.ifsr.de";
    eula = true;
    onCalendar = "hourly";
    defaultWorld = "/srv/minecraft/ifsr/world";
  };
  services.nginx.virtualHosts."map.mc.ifsr.de".extraConfig = ''
    allow 141.30.0.0/16;
    allow 141.76.0.0/16;
    allow 217.160.244.15/32; # jonas uptime kuma
    deny all;
  '';
  networking.firewall = {
    extraInputRules = ''
      ip saddr { 141.30.0.0/16, 141.76.0.0/16, 217.160.244.15/32 } tcp dport 25565 accept comment "Allow minecraft access from TU network and jonas monitoring"
    '';
  };
  users.users.minecraft = {
    isNormalUser = true;
    isSystemUser = lib.mkForce false;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILkxTuzjS3EswMfj+wSKu9ciRyStvjDlDUXzkqEUGDaP rouven@thinkpad"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOhdjiPvtAo/ZV36RjBBPSlixzeP3VN6cqa4YAmM5uXM ff00005@ff00005-laptop" # malte
    ];
  };
  security.sudo.extraRules = [
    {
      users = [ "minecraft" ];
      commands = [
        { command = "/run/current-system/sw/bin/systemctl restart minecraft-server-ifsr"; options = [ "NOPASSWD" ]; }
        { command = "/run/current-system/sw/bin/systemctl start minecraft-server-ifsr"; options = [ "NOPASSWD" ]; }
        { command = "/run/current-system/sw/bin/systemctl stop minecraft-server-ifsr"; options = [ "NOPASSWD" ]; }
      ];
    }
  ];
 }
--- a/modules/monitoring.nix
+++ b/modules/monitoring.nix
@ -85,13 +85,6 @@ in
        }];
        # scrape_interval = "60s";
      }
      {
        job_name = "rspamd";
        static_configs = [{
          targets = [ "rspamd.ifsr.de:11334" ];
        }];
        scrape_interval = "15s";
      }
    ];
  };
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@ -15,7 +15,7 @@ in
    nextcloud = {
      enable = true;
      configureRedis = true;
-      package = pkgs.nextcloud29;
+      package = pkgs.nextcloud28;
      hostName = domain;
      https = true; # Use https for all urls
      phpExtraExtensions = all: [
@ -30,7 +30,7 @@ in
      database.createLocally = true;
      # enable HEIC image preview
-      settings.enabledPreviewProviders = [
+      extraOptions.enabledPreviewProviders = [
        "OC\\Preview\\BMP"
        "OC\\Preview\\GIF"
        "OC\\Preview\\JPEG"
--- a/modules/web/crimecampus.nix
+++ b/modules/web/crimecampus.nix
@ -0,0 +1,7 @@
 { config, pkgs, ... }:
 let
  domain = "cc.${config.networking.domain}";
 in
 {
    services.nginx.virtualHosts."${domain}".root = "/srv/web/regex";
 }
--- a/modules/web/default.nix
+++ b/modules/web/default.nix
@ -1,6 +1,7 @@
 { ... }:
 {
  imports = [
    ./crimecampus.nix
    ./ifsrde.nix
    ./ese.nix
    ./infoscreen.nix
@ -11,6 +12,5 @@
    ./sharepic.nix
    ./userdir.nix
    ./ftp.nix
    ./hyperilo.nix
  ];
 }
--- a/modules/web/ese.nix
+++ b/modules/web/ese.nix
@ -5,7 +5,7 @@ let
 in
 {
  sops.secrets."directus_env" = { };
-  environment.systemPackages = [ pkgs.nodejs_22 ];
+  environment.systemPackages = [ pkgs.nodejs_21 ];
  virtualisation.oci-containers = {
    containers.directus-ese = {
      image = "directus/directus:latest";
@ -21,13 +21,13 @@ in
        "DB_DATABASE" = "directus_ese";
        "DB_USER" = "directus_ese";
        "PUBLIC_URL" = "https://directus-ese.ifsr.de";
-        "AUTH_PROVIDERS" = "keycloak";
+        "AUTH_PROVIDERS"="keycloak";
        "AUTH_KEYCLOAK_DRIVER" = "openid";
        "AUTH_KEYCLOAK_CLIENT_ID" = "directus-ese";
        "AUTH_KEYCLOAK_ISSUER_URL" = "https://sso.ifsr.de/realms/internal/.well-known/openid-configuration";
        "AUTH_KEYCLOAK_IDENTIFIER_KEY" = "email";
-        "AUTH_KEYCLOAK_ALLOW_PUBLIC_REGISTRATION" = "true";
+        "AUTH_KEYCLOAK_ALLOW_PUBLIC_REGISTRATION"="true";
-        "AUTH_KEYCLOAK_DEFAULT_ROLE_ID" = "a6b7a1b6-a6fa-442c-87fd-e37c2a16424b";
+        "AUTH_KEYCLOAK_DEFAULT_ROLE_ID"="a6b7a1b6-a6fa-442c-87fd-e37c2a16424b";
      };
      environmentFiles = [
        config.sops.secrets."directus_env".path
@ -69,7 +69,7 @@ in
    };
    virtualHosts."${domain}" = {
      locations."= /" = {
-        return = "301 /2024/";
+        return = "301 /2023/";
      };
      locations."/" = {
        root = "/srv/web/ese/served";
--- a/modules/web/hyperilo.nix
+++ b/modules/web/hyperilo.nix
@ -1,23 +0,0 @@
 { config, lib, pkgs, ... }:
 {
  # provide access to iLO of colocated server
  # in case of questions, contact @bennofs
  services.nginx.virtualHosts."hyperilo.deutschland.gmbh" = {
    forceSSL = true;
    locations."/".proxyPass = "https://192.168.0.120:443";
    locations."/".basicAuthFile = "/run/secrets/hyperilo_htaccess";
    locations."/".extraConfig = ''
      proxy_ssl_verify off;
    '';
  };
  systemd.network.networks."20-hyperilo" = {
    matchConfig.Name = "eno8303";
    address = [ "192.168.0.1/24" ];
    networkConfig.LLDP = true;
    networkConfig.EmitLLDP = "nearest-bridge";
  };
  sops.secrets."hyperilo_htaccess".owner = "nginx";
 }
--- a/modules/web/userdir.nix
+++ b/modules/web/userdir.nix
@ -56,7 +56,6 @@ in
        display_errors=0
        post_max_size = 40M
        upload_max_filesize = 40M
        extension=sysvsem.so
      '';
    };
  };
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -2,7 +2,6 @@ _final: prev:
 let
  inherit (prev) fetchurl;
  inherit (prev) fetchFromGitHub;
  inherit (prev) callPackage;
 in
 {
  # AGDSN is running an outdated version that we have to comply to
@ -14,27 +13,16 @@ in
    };
  }));
  # (hopefully) fix systemd journal reading
-  # prometheus-postfix-exporter = prev.prometheus-postfix-exporter.overrideAttrs (_old: {
+  prometheus-postfix-exporter = prev.prometheus-postfix-exporter.overrideAttrs (_old: {
-  #   patches = [
+    patches = [
-  #     ./prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch
+      ./prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch
  #   ];
  #   src = fetchFromGitHub {
  #     owner = "adangel";
  #     repo = "postfix_exporter";
  #     rev = "414ac12ee63415eede46cb3084d755a6da6fba23";
  #     hash = "sha256-m1kVaO3N7XC1vtnxXX9kMiEFPmZuoopRUYgA7gQzP8w=";
  #   };
  # });
  # Mailman internal server error fix
  # https://gitlab.com/mailman/mailman/-/issues/1137
  # https://github.com/NixOS/nixpkgs/pull/321136
  pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
    (python-final: python-prev: {
      readme-renderer = python-prev.readme-renderer.overridePythonAttrs (oldAttrs: {
        propagatedBuildInputs = [ python-prev.cmarkgfm ];
      });
    })
    ];
    src = fetchFromGitHub {
      owner = "adangel";
      repo = "postfix_exporter";
      rev = "414ac12ee63415eede46cb3084d755a6da6fba23";
      hash = "sha256-m1kVaO3N7XC1vtnxXX9kMiEFPmZuoopRUYgA7gQzP8w=";
    };
  });
  keycloak_ifsr_theme = callPackage ../modules/keycloak/theme.nix {};
 }
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
Author	SHA1	Message	Date
Rouven Seifert	4fdca3ba1a	forgejo actions: disable native for now	2024-06-03 12:17:34 +02:00
Rouven Seifert	a5c1b6d494	Merge branch 'forgejo-runner' of ifsr.de:wurzel/fruitbasket into forgejo-runner	2024-06-03 12:15:07 +02:00
Rouven Seifert	df66ad3870	forgejo: initial runner configuration	2024-06-03 12:13:52 +02:00
Rouven Seifert	a94ec1eab8	forgejo: initial runner configuration	2024-04-11 15:31:31 +02:00